A guide to HIPAA compliance for business phone systems

Among the many challenges of running a medical or dental practice is complying with an important yet complex law called the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA.

HIPAA applies to many aspects of running a healthcare office, including phone calls and related communications activity such as faxes, texts and videoconferences.

Here’s a guide to some of the HIPAA considerations when looking for business phones or unified communications as a service (UCaaS).

What is HIPAA?

HIPAA is a federal law addressing the confidentiality, security and accessibility of patient medical records, known under the law as Protected Health Information or PHI.

The law is enforced by the U.S. Department of Health and Human Services (HHS) through its Office of Civil Rights (OCR).

HHS offers in-depth information on its website, including a section on HIPAA for healthcare professionals at http://www.hhs.gov/hipaa/for-professionals/index.html.

Why is HIPAA compliance important?

Few people would disagree with the spirit of HIPAA—keeping patients’ medical information confidential and secure, as well as giving them rights to access that information—even if the letter of the law can sometimes be complicated.

On a more practical level, there can be significant reputational and financial consequences for HIPAA violations.

How does HIPAA apply to business phone systems and unified communications?

Internet-based phone and unified communications systems can contain Protected Health Information in many ways, such as a voicemail from a patient describing a medical problem, a copy of a virtual fax to an insurance company detailing a treatment plan, text messages between a dentist and a patient discussing an upcoming root canal, or a call recording between a doctor and a patient discussing test results.

Healthcare practitioners must either make sure they don’t create such data or ensure such data is properly managed and protected.

Note that phone and video calls are not subject to HIPAA requirements as long as no information is recorded or saved.

Are there HIPAA-certified phone systems?

No. This is a common misunderstanding. The Department of Health and Human Services does not offer any certification program to confirm that a third-party offering, such as phone service, meets all HIPAA requirements. Nor does any other government agency.

There are private firms that audit healthcare service providers and award their own home-grown HIPAA compliance logos—typically for a fee. But these awards are in no way legally binding.

What policies can help with HIPAA compliance for business phone systems?

HIPAA compliance depends as much on how a system is used as the protections built into the system itself.

Consider a traditional fax machine used to send billing information to an insurance company. Sending and receiving faxes containing PHI generally does not risk violating HIPAA because no data is stored. However, if the sheets of paper remain in the fax machine after transmission, and that fax machine is in area where multiple employees or even patients have access, there is a potential HIPAA violation.

On the flip side, there’s less risk in using phones, faxes or videoconferencing systems if no PHI is involved.

For example, there may be fewer HIPAA concerns with recording a videoconference for continuing medical education, as long as no individual patients are discussed, or receiving an unencrypted voice mail message from a patient who is only requesting a change in an appointment time.

In short, anyone in a medical or dental practice who discusses PHI with patients or handles PHI needs to be trained on that practice’s policies for HIPAA compliance.

How can Ooma Office be configured for HIPAA compliance?

Ooma Office offers a feature called HIPAA mode designed to help health-care organizations to meet HIPAA requirements.

To configure the system to be consistent with a customer’s HIPAA obligations, the administrator for an Ooma Office account goes to the System tab in the Ooma Office Manager portal, selects the HIPAA option and clicks ACCEPT TERMS.

The administrator will then be asked to virtually sign a Business Associate Agreement (BAA), which sets forth the parties’ understanding about how PHI will be handled.

When HIPAA mode is enabled, data is encrypted “in transit,” when being transmitted from one party to another, and “at rest,” when stored by Ooma. This applies to four types of data:

• Voicemails

• Phone call recordings

• Videoconference recordings

• Faxes

In addition, text messaging, also known as SMS, is disabled.

Also, email notifications of new voicemail messages and call recordings do not include attached audio files.

For more information on using Ooma Office in a manner consistent with your HIPAA obligations, go to https://support.ooma.com/office/hipaa-support-on-ooma-office/.

All of the advice above is intended to help medical and dental practices take advantage of the power and flexibility of VoIP phone service and unified communications while keeping HIPAA requirements in mind. However, healthcare providers need to remember that they are ultimately responsible for complying with HIPAA. Even the most secure technology can be used in an insecure way that creates a potential HIPAA violation. This is why training all employees who handle PHI is so important.

Contact your Ooma sales rep or call our customer support line if you have questions.